Image is still built even if GPG signature verification fails #3565

Open
arjunak234 opened this issue Feb 28, 2025 · 5 comments

@arjunak234

mkosi commit the issue has been seen with

25.3

Used host distribution

Debian Testing

Used target distribution

Debian stable

Linux kernel version used

NA

CPU architectures issue was seen on

x86_64

Unexpected behaviour you saw

This can be reproduced by replacing the Debian keyring file with some other key.
cp /usr/share/keyrings/archlinux.gpg /usr/share/keyrings/debian-archive-keyring.gpg

The build process shows some verification errors but does not stop the image from being built. If debootstrap is used instead, it will exit with an error as expected.

# debootstrap --force-check-gpg --include=udev,systemd stable debian2
I: Target architecture can be executed
I: Retrieving InRelease 
I: Checking Release signature
E: Release signed by unknown key (key id F8D2585B8783D481)
   The specified keyring /usr/share/keyrings/debian-archive-keyring.gpg may be incorrect or out of date.
   You can find the latest Debian release key at https://ftp-master.debian.org/keys.html

Used mkosi config

mkosi --distribution debian --release bookworm --format tar --package systemd,systemd-sysv,udev,dbus,apt -o debian

mkosi output

‣ Validating certificates and keys
‣ Syncing package manager metadata
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Err:1 http://security.debian.org/debian-security bookworm-security InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key ED541312A33F1128F10B1C6C54404762BBB6E853, which is needed to verify signature. Missing key B0CAB9266E8C3929798B3EEEBDE6D2B9216EC7A8, which is needed to verify signature.
Err:2 http://deb.debian.org/debian bookworm InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature. Missing key 4D64FEC119C2029067D6E791F8D2585B8783D481, which is needed to verify signature.
Hit:3 http://deb.debian.org/debian-debug bookworm-debug InRelease
Hit:4 http://deb.debian.org/debian bookworm-updates InRelease
Err:3 http://deb.debian.org/debian-debug bookworm-debug InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature. Missing key 4D64FEC119C2029067D6E791F8D2585B8783D481, which is needed to verify signature.
Err:4 http://deb.debian.org/debian bookworm-updates InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature.
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security bookworm-security InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key ED541312A33F1128F10B1C6C54404762BBB6E853, which is needed to verify signature. Missing key B0CAB9266E8C3929798B3EEEBDE6D2B9216EC7A8, which is needed to verify signature.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian bookworm InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature. Missing key 4D64FEC119C2029067D6E791F8D2585B8783D481, which is needed to verify signature.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian-debug bookworm-debug InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature. Missing key 4D64FEC119C2029067D6E791F8D2585B8783D481, which is needed to verify signature.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian bookworm-updates InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature.
W: Failed to fetch http://deb.debian.org/debian/dists/bookworm/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature. Missing key 4D64FEC119C2029067D6E791F8D2585B8783D481, which is needed to verify signature.
W: Failed to fetch http://deb.debian.org/debian-debug/dists/bookworm-debug/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature. Missing key 4D64FEC119C2029067D6E791F8D2585B8783D481, which is needed to verify signature.
W: Failed to fetch http://deb.debian.org/debian/dists/bookworm-updates/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature.
W: Failed to fetch http://security.debian.org/debian-security/dists/bookworm-security/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key ED541312A33F1128F10B1C6C54404762BBB6E853, which is needed to verify signature. Missing key B0CAB9266E8C3929798B3EEEBDE6D2B9216EC7A8, which is needed to verify signature.
W: Some index files failed to download. They have been ignored, or old ones used instead.
‣ Copying repository metadata
‣ Building default image
‣  Installing Debian

@DaanDeMeyer
Contributor

@arjunak234 I cannot find an option in apt's documentation that would allow us to configure it to fail in this case, so I don't think there's anything we can do in mkosi to fix this.

@arjunak234
Author

> I cannot find an option in apt's documentation that would allow us to configure it to fail in this case, so I don't think there's anything we can do in mkosi to fix this.

Can't debootstrap be used to generate the image? debootstrap --force-check-gpg --include=dbus,systemd stable debian is what I use.

This is a security risk. From the log output above, the files are being fetched over HTTP (without TLS). Someone who can compromise HTTP traffic or a Debian mirror will now have root access to all your newly built containers. Also the "‣ Validating certificates and keys" message will give people a false sense of security that the packages are always being verified and build will not proceed in case of errors.

@behrmann
Contributor

behrmann commented Mar 2, 2025

> Can't debootstrap be used to generate the image? debootstrap --force-check-gpg --include=dbus,systemd stable debian is what I use.

No and yes, maybe.

Using debootstrap is incompatible with mkosi's architecture of using the package manager alone acting from outside the image. mkosi used debootstrap before and moved away from it many years ago. You may be able to use custom as distribution with a prepopulated tree.

Also, looking at what --force-check-gpg does, it seems to me like it won't force proper keys either; it will just set https to your mirror if it's not already there?

> This is a security risk. From the log output above, the files are being fetched over HTTP (without TLS).

Then use a mirror with HTTPS or make a local mirror, but we can only support what apt supports, so please open a bug against apt to add an option to fail loudly when it cannot verify signatures.

> Also the "‣ Validating certificates and keys" message will give people a false sense of security that the packages are always being verified and build will not proceed in case of errors.

The message is unrelated to this; we can change that to make it clear that it's about something different.

@arjunak234
Author

> Using debootstrap is incompatible with mkosi's architecture of using the package manager alone acting from outside the image. mkosi used debootstrap before and moved away from it many years ago. You may be able to use custom as distribution with a prepopulated tree.

Can mmdebstrap be used then?

> it will just set https to your mirror if it's not already there?

From what I can understand, by default it will try to use the keyring and HTTP. If the keyring is missing it will fall back to HTTPS. This option disables that fallback.

@DaanDeMeyer
Contributor

> > Using debootstrap is incompatible with mkosi's architecture of using the package manager alone acting from outside the image. mkosi used debootstrap before and moved away from it many years ago. You may be able to use custom as distribution with a prepopulated tree.
>
> Can mmdebstrap be used then?

Why? Its man page lists that --force-check-gpg is not supported. That's because what mmdebstrap does is more or less identical to what we do in mkosi.

> > it will just set https to your mirror if it's not already there?
>
> From what I can understand, by default it will try to use the keyring and HTTP. If the keyring is missing it will fall back to HTTPS. This option disables that fallback.

Please work with the apt developers to have an option added to apt that disables the fallback and we will gladly enable it in mkosi.
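
The warnings in the log from the issue report can be turned into a hard failure by scanning apt's output in a wrapper step. The sketch below is an added example, not code from mkosi or apt and not part of the thread; the function names are hypothetical, the sample is abridged from the log quoted in the report, and it assumes apt prints English (C locale) messages.

```python
import re
import sys

# Sample abridged from the apt output quoted in the issue report (bookworm repositories).
SAMPLE = """\
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Err:1 http://security.debian.org/debian-security bookworm-security InRelease
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security bookworm-security InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key ED541312A33F1128F10B1C6C54404762BBB6E853, which is needed to verify signature. Missing key B0CAB9266E8C3929798B3EEEBDE6D2B9216EC7A8, which is needed to verify signature.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian bookworm-updates InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key A7236886F3CCCAAD148A27F80E98404D386FA1D9, which is needed to verify signature. Missing key 4CB50190207B4758A3F73A796ED0E7B82643E131, which is needed to verify signature.
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
"""

# apt prefixes warnings with "W:" and errors with "E:"; either one carrying
# "GPG error: <uri> <suite> InRelease: <detail>" is treated as a failure here.
GPG_ERROR = re.compile(r"^[WE]: .*?GPG error: (?P<uri>\S+) (?P<suite>\S+) InRelease: (?P<detail>.*)$")
# sqv names the key as "Missing key <fingerprint>"; gpgv-based apt prints "NO_PUBKEY <key id>".
MISSING_KEY = re.compile(r"(?:Missing key|NO_PUBKEY) ([0-9A-F]{16,40})")


def signature_failures(apt_output: str) -> dict[str, list[str]]:
    """Map "uri suite" to the missing key ids of each repository that failed verification."""
    failures: dict[str, list[str]] = {}
    for line in apt_output.splitlines():
        match = GPG_ERROR.match(line)
        if not match:
            continue
        keys = failures.setdefault(f"{match['uri']} {match['suite']}", [])
        for key in MISSING_KEY.findall(match["detail"]):
            if key not in keys:
                keys.append(key)
    return failures


def gate(apt_output: str) -> int:
    """Return a process exit status: 1 if any repository was left unverified, else 0."""
    failures = signature_failures(apt_output)
    for repo, keys in failures.items():
        print(f"unverified repository: {repo}; missing keys: {', '.join(keys) or 'not reported'}",
              file=sys.stderr)
    return 1 if failures else 0


if __name__ == "__main__":
    # With no piped input, check the embedded sample; otherwise check apt's combined output.
    sys.exit(gate(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

To use it as a build gate, merge apt's stderr into stdout, pipe the result into the script, and stop the build on a non-zero exit status.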
